
Two newly disclosed vulnerabilities in the Kaleris Navis N4 terminal operating system could allow attackers to remotely compromise container terminal infrastructure, according to a security advisory released by the Cybersecurity and Infrastructure Security Agency (CISA).
Kaleris Navis N4 is a widely used terminal operating system in the global logistics sector, and the identified flaws pose a serious risk to the integrity of supply chain operations.
The more severe of the two flaws, CVE-2025-2566, has been assigned a CVSS v3.1 score of 9.8, placing it in the critical range. This vulnerability arises from unsafe Java deserialization within the Ultra Light Client (ULC) of Navis N4.
“An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server,” the advisory explains.
This type of vulnerability could allow attackers to gain full control of affected systems without requiring credentials, posing a grave threat to the operational integrity of container terminals.
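The deserialization weakness described above is the familiar Java pattern in which a server calls `readObject()` on client-supplied bytes and instantiates whatever class the stream names. The following is an added illustration, not Navis N4 code and not taken from the advisory: it contrasts that unfiltered pattern with the JEP 290 allowlist filter (`ObjectInputFilter`, Java 9 and later) that rejects every class the server does not expect and caps stream depth and size. The `ContainerQuery` class, the endpoint it stands in for, and the container number are assumptions made up for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Hypothetical message type standing in for whatever a thin client would send.
// It is an assumption for this example, not a real Navis N4 class.
class ContainerQuery implements Serializable {
    private static final long serialVersionUID = 1L;
    final String containerId;
    ContainerQuery(String containerId) { this.containerId = containerId; }
}

public class SafeDeserialization {

    // Serialize an object into the byte form a client would put on the wire.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: any class named in the stream is resolved and instantiated,
    // so the server's behaviour is decided by the sender, not by the application.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allowlist filter accepts only the expected classes and
    // rejects everything else ("!*"); depth and byte limits bound resource use.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "ContainerQuery;java.lang.String;maxdepth=4;maxbytes=4096;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject(); // throws InvalidClassException for a rejected class
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected message and one unexpected (but harmless) class.
        byte[] expected = serialize(new ContainerQuery("MSCU1234567"));
        byte[] unexpected = serialize(new HashMap<String, String>());

        // Unfiltered: both streams are accepted, the second one silently.
        System.out.println("unfiltered accepted: " + deserializeUnfiltered(expected).getClass().getName());
        System.out.println("unfiltered accepted: " + deserializeUnfiltered(unexpected).getClass().getName());

        // Filtered: the expected message still works, the unexpected class is refused.
        System.out.println("filtered accepted:   " + deserializeFiltered(expected).getClass().getName());
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected:   " + e.getMessage());
        }
    }
}
```

The filter is consulted for every class descriptor in the stream before the class is resolved, which is what makes it effective against gadget chains: the classes such chains depend on never reach `resolveClass`. A process-wide default can be set with the `jdk.serialFilter` system property for code that cannot be changed, which is the shape of mitigation that matters for a deployed product awaiting a vendor patch.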
The second vulnerability, CVE-2025-5087, rated with a CVSS score of 5.9, stems from cleartext transmission of sensitive information. Navis N4’s ULC component uses zlib-compressed data over HTTP, making it possible for network attackers to intercept and extract plaintext credentials and other confidential data.
“An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information,” the report warns.
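Because a zlib stream is reversible by anyone holding the bytes, compression gives no confidentiality, and the only fix is transport encryption. What a defender can do in the meantime is find which hosts are still exchanging compressed bodies over plain HTTP, so those clients can be moved to HTTPS or the endpoint disabled. The block below is an added example written for this article, not a Kaleris or CISA tool: it applies the RFC 1950 zlib header check to the body of a captured HTTP request and reports a finding. The request path, host name and credential string are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.zip.Deflater;

public class CleartextZlibDetector {

    // RFC 1950 header check: the low nibble of CMF must be 8 (deflate) and the
    // 16-bit value CMF*256 + FLG must be a multiple of 31.
    static boolean isZlibStream(byte[] body) {
        if (body == null || body.length < 2) return false;
        int cmf = body[0] & 0xFF;
        int flg = body[1] & 0xFF;
        return (cmf & 0x0F) == 8 && ((cmf << 8) | flg) % 31 == 0;
    }

    // Offset just past the CRLFCRLF that ends the HTTP header block, or -1 if absent.
    static int headerEnd(byte[] raw) {
        for (int i = 0; i + 3 < raw.length; i++) {
            if (raw[i] == '\r' && raw[i + 1] == '\n' && raw[i + 2] == '\r' && raw[i + 3] == '\n') {
                return i + 4;
            }
        }
        return -1;
    }

    // Returns a finding when a cleartext HTTP request carries a zlib body, else null.
    // TLS traffic never matches: its records do not parse as an HTTP request line.
    static String inspect(String sourceHost, byte[] raw) {
        int bodyStart = headerEnd(raw);
        if (bodyStart < 0) return null;
        String head = new String(raw, 0, bodyStart, StandardCharsets.ISO_8859_1);
        if (!head.startsWith("POST ") && !head.startsWith("PUT ")) return null;
        byte[] body = Arrays.copyOfRange(raw, bodyStart, raw.length);
        if (!isZlibStream(body)) return null;
        String requestLine = head.substring(0, head.indexOf("\r\n"));
        return sourceHost + " sent a zlib-compressed body over cleartext HTTP: " + requestLine;
    }

    // Constructed sample request with a deflated body, standing in for thin-client traffic.
    static byte[] sampleCompressedRequest() {
        byte[] plain = "user=operator&pass=PLACEHOLDER".getBytes(StandardCharsets.UTF_8);
        Deflater deflater = new Deflater();      // default settings emit the zlib wrapper
        deflater.setInput(plain);
        deflater.finish();
        byte[] buf = new byte[256];
        int n = deflater.deflate(buf);
        deflater.end();
        byte[] head = ("POST /placeholder-ulc-endpoint HTTP/1.1\r\n"
                + "Host: n4.example.internal\r\n"
                + "Content-Length: " + n + "\r\n\r\n").getBytes(StandardCharsets.ISO_8859_1);
        byte[] raw = Arrays.copyOf(head, head.length + n);
        System.arraycopy(buf, 0, raw, head.length, n);
        return raw;
    }

    // Constructed negative case: an ordinary JSON POST, which must not be flagged.
    static byte[] sampleJsonRequest() {
        return ("POST /api/status HTTP/1.1\r\nHost: n4.example.internal\r\n"
                + "Content-Length: 13\r\n\r\n{\"ok\": true}\n").getBytes(StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) {
        System.out.println(inspect("10.0.0.21", sampleCompressedRequest())); // finding
        System.out.println(inspect("10.0.0.22", sampleJsonRequest()));       // null
    }
}
```

The same two-byte test works on a packet capture or on a proxy's request log, and it is deliberately narrow: it does not inflate the body, because the goal is an inventory of clients still on the cleartext path rather than the contents of their sessions.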
Kaleris has already issued patched versions across multiple Navis N4 releases, urging users to upgrade to the fixed build for their branch (3.1.44 or later through 3.8.0 or later) or to move directly to version 4.0, which fully replaces the ULC with a secure HTML-based UI.
For those unable to immediately upgrade, Kaleris recommends:
- Placing N4 servers behind a firewall if internet exposure is unnecessary.
- Disabling the ULC endpoint through configuration changes.
- Implementing VPN access, jump systems like Citrix, or strict IP whitelisting for remote connections.
- Enforcing HTTPS on firewalls and load balancers.
- Using firewalls with built-in DDoS protection.
- Applying TLS configuration as per the official Application Security Guide.
“A final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI,” CISA advises.
While no public exploitation has been reported as of this writing, organizations are strongly encouraged to implement the provided mitigations to reduce potential exposure.